[FEATURE REQUEST] match.compound runner
#63278
Comments
lkubb
added
Feature
|
I would categorise this as a security issue, rather than a feature request. Though it's not generally possible to have "secure" compound matchers, because minions control what their grains are,. |
OrangeDog
added
Bug
Fine with me. It definitely is a security issue, but you would have to opt in by a) choosing to use compound expressions and b) allowing peer communication from the CA minion. Not sure if there is a warning in the docs currently, but my
Agreed, but this is also opt-in and should probably be warned against as well after this security issue has been remedied. |
Is your feature request related to a problem? Please describe.
The
x509modules support signing policies that can be restricted to specific minions. These restrictions can be specified either by globbing on the minion ID or as a compound matcher expression. If you opt for the latter, the CA server queries the minion itself if it matches the expression. This can be a security risk if the minion is compromised.If someone called you, saying: "Hey, I'm your bank, please send me a copy of your passport!" and you would verify their claim by calling back on the same number and asking them, "Are you really my bank?", you will be vulnerable to scammers. "Sure, mate. Now gib ID."
Describe the solution you'd like
Implement a
match.compoundrunner that the CA server can query to verify the minion (the master is trusted by definition).Describe alternatives you've considered
Not use compound matcher expressions for restricting signing policies.
The text was updated successfully, but these errors were encountered: